matrix SOURCES

SOURCES OF MISTAKES IN PFD CALCULATIONS FOR SAFETY-RELATED LOOP TYPICALS

Daniel Dupont Lothar Litz Pirmin Netter

University

of Kaiserslautern

University

of Kaiserslautern Infraserv Hbchst

P.O. Box 3049 P.O. Box 3049 Industriepark Hbchst C769

67653 Kaiserslautern 67653 Kaiserslautern

65926 Frankfurt! Main

Germany Germany Germany

Abstract^- In order to

prevent

any harm for human

beings

and environment, IEC 61511

imposes

strict

requirements

on O ve

safety instrumented functions

(SIFs)

in chemical and

ObRject

^ofevalation:

hazarn

^event

pharmaceutical production plants. As measure of quality a

RR RT Rp

risk

Supporting methods

safety integrity

level

(SIL)

of

1, 2,

3 ^or 4 is

postulated

for the | I Risk Risk

SIF. In this contextfor every SIF

realization,

i.e.

safety-related reduction

vi SF matrixgraph LOPA loop, a

SIL-specific

probability of failure on demand (PFD)

must be proven. Usually, the PFD calculation is performed

based on thefailure rates of each loop component aided

by Object

ofevaluation:

safety-related

loop intheSIS commercial software tools. But this

bottom-up approach

Sensor PLC Finalelement Criteria suffers from many uncertainties. Especially a lack of reliable

failure rate data causes many

problems.

Reference data for

HET SEE FED

different environmental conditions ^are available to solve this rPocess

situation.

However,

this

pragmatism

leads toaPFD

bandwidth,

^S

not to a single PFD value as desired. In order to make a Fig. 1:

SILassessment

decision for a numerical value

appropriate

for

plant

Todetermine the process risk

Rp

fora certain hazard case - applications in chemical industry, a data ascertainment has defined as the risk without the SIF needed - a risk analysis been initiated by the European NAMUR within its member must be performed. If

Rp

lies above the tolerable risk RT all companies. Combined with statistical methods their results supporting methods result in one of the four safety integrity display large deficiencies forthe

bottom-up approach.

As one levels (SIL 1 to 4) as risk measure. For any dangerous main sourceof mistakes the distribution ofthe loop PFD has scenario with a SIL classification a SIF must be identified and been identified. The well known percentages for sensor,

logic

installed in the SIS. Thereby, a risk reduction to a residual risk solver andfinal element part often cited in literature could not below the tolerable one should be created.

beconfirmed. The hardware realization of a SIF is given by a safety-

related loop inthe SIS which has tofulfill

SIL-specific

criteria.

Index

Terms -

EO

61511, SIL, SIF, SIS, PFD, Failure During the SIL proof the aimed SIL has to be verified under rates, Confidence

intervals,

considerationofseveral, predominantlyquantitativeconstraints I. INTRODUCTION

imposed by [1].

These criteria describe the structural and I. INTRODUCTION technical loop quality, see

Fig.

1. The most critical criterion impactingon aSILisgiven bytheaverageprobability of failure To guarantee a homogenously high plant

safety

standard on demand

(PFD),

see Table

1.

around theworld,a globaldirectivewascreated

by

IEC61511

[1]. The implementation of this guideline

imposes

strict TABLE

requirements to plantoperators. Onecentral term is

given by

SIL:

PFD

VALUES the

safety

instrumented system

(SIS)

which

implements

one or SIL

PED

targetvalue moresafety instrumentedfunctions

(SIFs).

If theprocess tends SIL

PFD_target_value

to enter adangerous range, theSIS has to interfereand

bring

4 io- .

PED

<

i0-4

the plant to a safe state. For

example,

a SIF

avoiding

the

4<pFD<10-3

hazard case"burst ofavessel hull due to

overpressure"

could

be realized by a

loop

in the SIS

consisting

of two pressure 2 io- '

PED

<

1O-

transmitters connected

by

a 1002 PLC

(1

out of 2 1

1o-2

<

PFD

^< 10- programmable logic controller, for further abbreviations see

chapter

VIII)

to two reliefvalvesoperating inparallel.

IEC 61511 prescribestheperformance of a SILassessment From the technical point of view this quantity denotes the forevery new-installed SIF. In general this processconsists of safety-related

unavailability

of the SIF. It can be calculated in

two parts, see Fig. 1. twodifferent ways:

Bottom-up methods are appropriate to determine the From the pool of single-channel typicals three loops are availabilityofany system consisting ofcomponents with known chosen: one typical for pressure, temperature and level data(failure rates, availability), see [2]. Usually, they are used control. Table 11 shows the types of the used components.

fortheSIL proof. Manufacturers and product names are not listedfor keeping a

In order to check the transferability of bottom-up PFDs onto neutral position. Moreover, an assignment of the modules to the realfailurebehaviorofloops in production plants, top-down superior, more general layers is given, i.e. a classification in methods are applied. They originate from real loops and are sensor, logic solver or final element part. For describing the based on theirstatistics, see [3]. functionality of each typical the monitored process quantities The ideal case would be represented by similar results for as well as the original denotations have been adopted. The the outcomes of both, the bottom-up and the top-down behavior ofthe final element on demand plays an important approach. Applying both methods and comparing their results roleconcerning the choiceoftheappropriatefailurerates. The mirrors large discrepancies whose sources must be located. following information can be derived: All typicals are monitoring For the scope of this paper all examinations are focused on an upper limit value ("+"). On demand for "Pressure" and single-channel loops. "Level" the valves are closed, whereas for"Temperature" the

final element is opened.

11. BOTTOM-UP APPROACH

B. Failure Rate Mining Inorder to get representative results, special SIFrealizations

have to bedefined which can serve as a kind of benchmark. Inthe next stepfailure rate data of each loop component is Afterwards, reliability data are collected for each loop gathered. Normally, this processof data mining is intended to component. Finally, for these so-called typicals the PFD work by ordering so-called SIL conformity declarations from calculation isperformedaidedbycommercialsoftwaretools. the component manufacturers. These documents should contain the relevant information for PFD calculations, i.e. at A. TypicalCompilation least the rateofdangerous, undetectedfailuresADU. In general

three cases occur:

Fixing representative single-channel SIF realizations

requires two properties ofthe typicals. On the one hand their Case 1: A manufacturer declaration Is

available

containing origin should be one ofthe leading chemical companies. On trustworthy failure rates ("X" in Table 11).

the other handtheyare tobequalifiedas standard solutions if Case 2: A manufacturer declaration is available containing apressure-, temperature- or level-basedSIFisrealized. either no failure rates or no trustworthy ones

("O"

in

Table11).

TABLE 11

SINGLE-CHANNEL TYPICALS Case 3: No manufacturer declaration is available

("O"

in

1ool Typical Table

11).

Observed

Unfortunately,

many

typical components

feature insufficient

process Pressure Temp. Level data ("O" in Table 11). Declarations assigned to case 2 mostly quantity suffer from too conservative failure rates. For being on the safe Denotation PIRZ+A+ TIRZ+A+ LIRZ+A+ side many manufacturers run their

component analysis

Behavior of assuming worst case conditions (e.g.

600C

ambient air

final element close open close

temperature). Often,

the

resulting

failure ratesareincreased

by

on demand afinal addition of 10% or more. But also extremely gooddata

Sensing 0 are provided for marketing reasons. Case 3 mainly originates

element x x from a

phenomenon

induced

by

the

component

selection

TransmitSer 0 criteria of chemical companies. Before new developments are

Sensor chosen for safety-critical applications, they must stand

part Transmitter 0 0 X

laboratory phases. Afterwards,

afaultless one-yeartest

period

powerLsupply

^{has to be}

^passed

^{in several}

applications

of the

BPCS. Hence,

input X X X many of these proven-in-use components were developed in

Logic the early years of

IEC

61511 or are even older. In combination

solver PLC x X with devices

having

direct contact with process fluidor

working

part in

aggressive atmospheres, they

suffer from a lackof

reliability

ouPut output

X x

XOne

data. admissible way outforcase2and 3componentswould Solenoid 0 not used not used be own failure rates derived by plant operators in addition to a

driver proven-in-use declaration. But

doing

^so

requires

^an

adequate

Final S lni

element

Solenoid

O O 0 statistical data base for the considered

components.

However, part Actuatorvalve (pilot)0 (pilot)0 (direct)0 the data base volumeas consequence of the company size.ofa

single

concern would be too small

Ball

~~~~~~~~Consequently,

^reference values have to be mined for

valv

affected components

("0"

in Table

11).

X Component with sufficient data.

O Component with no or insufficient data.

TABLEIll PFDLabspecification - reference data derived under

REFERENCE DATA laboratoryconditions (given by

Environment

manufacturers);

Component Laboratory Laboratory Field PFDLab-Field specification - reference data derived under

type

-Field

laboratory conditions modified

ADU ADU ADU by knowledge from small field

[FIT]

[FIT] [FIT]

studies (given by published

RTDand 438 700 5670 data bases);

transmitter

PFDField

specification - reference data derived from

Transmitter 24 150 2835 field studies

mostly

from

power

poweroiupply

suppl ^{24 150 2835 offshore}

applications (given by

driver 0 100 available published data bases);

Solenoid direct 62 Because

PFDLab-Field

denotes a limit value

between

valve pilot

213585

1400

laboratory

and field environment it will^{serve as}worst casefor

Actuator 2193 ⁶⁷⁰ⁱⁿ

laboratory and bestcase for fieldapplicationatthe sametime.

Actuator 19 670 valve data The

proof

^testintervals have been

adapted according

^tothe 19111 NAMUR data in chapter

111.

Table IV contains the PFD 1350 close outcome for the considered 1oo1

typicals.

close 14553

Ball valve 144 960 open TABLE IV

open with BOTTOM-UPPFD BANDWIDTHS

actuator 1 ool Typical PFDbandwidth

1001________________I

[PFDLab;PFDLab-Field; PFDField]

Table

Ill

contains reference data collected under different Pressure (P) [2.09 10-3; 1.20 10-2; 9.48 10-2]

environmental conditions. The

major

datasources arelisted in

[4] to [8]. To avoid anycompetition situation, the sources are Temperature (T) [3.38

10-3;

1.2310-2; 9.84 10-2]

notassigned tothe values. Offshorerates takenfrom [5] have Level (L) [3.21 10-3; 1.28 10-2; 8.48

10-2]

been filtered according to the usage conditions in chemical

and

pharmaceutical industry. Comparing

the orders of

According

to the choice of the reference values the PFDs magnitudegraduatedto differentusage conditions inTable 111,

diverge

^more than one decimal power from each other. In strong deviations are observable. The

laboratory

rates have

comparison

with Table for

laboratory

environment a PFD of

strong

theoretical character because

they

presume clean SIL 2

(best

^case

laboratory)

^or SIL 1

(worst

^case

laboratory)

serviceusage. For realistic considerations thefield influence resultsfor all

typicals.

As

usually

field

application

is ofinterest to beregarded. But withouta

highly sophisticated

maintenance

system the field usage

("'Laboratory-Field"'

and

"'Field"'

In Table ol F fSLI(etadwrtcs il)i eiibe

Illm ^cmes aelo ^whsign comporatoy

^e

ndFelint ^{rates Moreover,}

^no

ranking according

to the monitored process

111)

comes

along

with

significantly

worse

component

rates. If

quantity

is

observable.

additionally offshore ratescomeinto game

("Field"

inTable

111),

high vibrations and corrosive effects lead to even worse

Ill.

TOP-DOWNVALIDATION reference rates. Summing up, the orderof

magnitude changes

from column to column approximately one decimal power.

A.

STATISTICAL DATA BASE

Consequently,

a strong

sensitivity

of the PFD outcome with

respect

tothe choiceof referencedata is to be

expected.

Inorder to validate

if

thebottom-upapproachhas been able C. PFDDetermination tomap realistic PFDsfor fieldconditions, the NAMUR

[10]

has motivated a data ascertainment within

its

member

companies.

In the year 2003 already 33 companies

participated

in this Three commercial software tools are spread over

Germany

activity and from 2004 till 2005 the group of data suppliers to

support

PFD calculations. Two of them make use of the

increased

^to37. Also thebiggestchemical andpharmaceutical PFD formulas given in IEC 61508 [9], whereas the third one

companies provided

their data sets for the three years. The takes Markov Models. As this paper

exclusively

deals with

non-redundant

structures,

non-redundanno significant

strucures,no.sfollown

deviations will be mi

^quantity.

datg^As the materialfti isaabs

gained in

theisi

field,

t

it includes

ult then

expected

due to different tools.

Therefore,

the observance of the process

influence,

i.e. the contact with calculations are done

supported by

one of them without process fluid. The data structure has become more and more

mentioning

itsnameandmanufacturer.

complex

over the years. For the

initial

^year 2002

only

a

As each typical suffers from

missing

or

insufficient

distinction between failures in single-channel and multi- component failure rates, different reference rates have to be channel loops was queried. For 2003 till 2005 a subdivision tested. Hence, the PFD calculation does not lead to a crisp regarding the monitored process quantity raised the data value but to laboratoryand field bandwidths. For each

typical

--- . . ..I

~~~~~~~~~comp)lexitv.

Table Vshows the sinale-channel data sets for the the PFD calculation IS performed three times using

different

three

years.

speifiatins As not all data suppliers give thesubdivision concerning the

monitored processquantity, the elementsof the "Total"groups do not meet the sum of the according subgroups. Moreover,

groups like "Others", "Manual" and "Quality"do exist. However, To derive PFD values from the given data pool, a PFD theyare notconsidered here. formula with adaptation to the NAMUR data is required.

According to [3]the PFD of a 1001 loop can be determined by TABLE V

SINGLE-CHANNEL NAMUR DATA 2003 - 2005 F T

11 Year

GrOUPDangerous,

PFD⁼ (1)

Loops undetected

T, L*AT

²

Year Group [absolute] failures [years]

I [absolute] where

FDU

and L denote the numbers of

dangerous,

TOtal 12,132 41 0.93 undetected failures and loops in Table V.

AT

stands for the

Total

12,132

^{41 0.93} observation period, which is set to one year by the

2003 Pressure

(P)

1,479 11 0.93

interrogation cycle

^ofNAMUR.

Temp.

(T) 1,154 1 0.93 But only using (1) for PFD calculations would not lead to trustworthy values as statistics always imply deficiencies.

Level(L) 1,020 2 0.95 Therefore,

IEC

61511 advises estimating confidence intervals Total 16,172 43 0.93 to

compensate

for statistical inaccuracies. The firststep to do so is finding an appropriate interval estimator. As for the 2004 PreSSUre(P) 2,292 18 0.93 NAMUR data structure a continuous model is not the best Temp.(T) 1,936 5 0.93

choice,

the binomial distribution ^- as exactestdiscrete model Level(L) 1,368 3 0.95

-is

_Assuming^used. _{a binomial} distribution, the interval boundariesfor

Total 18,903 56 0.91 a given confidence level 1 -a are determinedby

12005

|Pressure (P) 2,098 17 0.89 ^L

Temp. (T)

1,600 5

0.94

pw

=max

( ( p) p < for

O

< FDU ^{< L} and (2)

In addition to the individuals ofeach group the numbers of

Pup=

m (1- p)=

pX

for 0 <FDu <

L,

(3) dangerous, undetected failures are listed. This type of failure x=0 x

has the major influence on process safety. It does not only

prevent the loop from proper functioning in the case of a see [10].

demand ingeneral.Additionally, it remains undetected until the Solutions to (2) and (3) are found byiterativemethods. The regular proof test. The proof test intervals in practice have estimated quantityp corresponds to the ratio of

FDU

and L:

been interpolated from statements of data suppliers which

have been providing this information since 2004. Hence, the F

intervals for 2004 are retrospectively assigned to the year p= L (4)

2003. For 2005 new proof test intervals are created by

feedback ofdata

suppliers.

Hence, p can be

interpreted

^asthefailure probabilityrelated In order to compare the results of the typicals with the to AT In ^a last

step,

the p confidence intervals must be valuesofthe NAMUR data, it is not

obligatory

to examine the transformed to PFD confidence intervals.

Thus,

the interval

"Total" groups. But for getting an

impression

ofthe NAMUR boundaries

plow

^and

^Pup

are converted into

PFD10w

and

PFDup

data consistency a consideration ofthe whole 1001 data pool by combining (1)and

(4):

isveryuseful.

B. PFDCONFIDENCEINTERVALESTIMATION PFD=p

T.

⁽⁵⁾

2AT Initially,thefollowing assumptionsaremade:

Table

VI

shows the generated PFDconfidence intervalsfor 1. Only dangerous, undetected failures are PFD the NAMUR data. The confidence level has been chosen as

relevant, dangerous,detected onesnegligible. 70%in accordance with

IEC

61511

[1].

2. Failurerates are constantovertime.

Analyzing

the upperinterval boundaries

(worst

case

"field"),

all 3. MTTR ^<< MTTDDU, because normally MTTR ⁼ 8h PFD values are located in the PFDrangeof SIL 2. Theset of andMTTDDU>0.5 Y. lower interval boundaries

(best

case

"field")

contains elements 4. ADU T«^<< 1. from SIL 2 to SIL 4. Furthermore, a ranking concerning the 5. The failure detection and repair duringthe prooftest monitored process

quantity

is derivable:

"Temperature"

and is perfect (PTC= 100%). "Level" show almost the same PFD

quality,

"Pressure" is 6. For the NAMUR data the

following

holds: Each worse.

safety-related loop can only suffer from at most one

Evaluating

the

bottom-up

PFDs with the

top-down intervals,

dangerous, undetected failure during the observation there is a gap of almost two

SlLs.

Hence, these large period of one year. deviations between theory (bottom-up approach) and practice

(top-down approach) must be examined.

TABLEVI Bysplitting the PFD outcomes of the typicals, theequivalent PFD CONFIDENCE INTERVALS percentage distributions for the bottom-up approach are Year T Group II

PFD [PFDi0w;

confidence interval

^PFDup]

derivable. The following specificationsand worst case typical distributions (field), see Figs. 2are used for getting best- 5

Total [1.321

0-3;

1.871

0-3]

"Typical (field)".

Pressure (P) [2.4010-3 4.8910-3]

Typical (field):

2003 ,Tpcl(ll)

Temp. (T) [6.55

10-5;

1.36

10-3]

best case -

PFDLab-Field

distribution Level (L) [3.1810-4; 2.2010-3] worst case - PFDFielddistribution

Total

[1.0410-3;1.46104]0-

^{Forreasons of}

completeness

the same

pragmatism

is also Pressure (P) [2.78

10-3

4.77

10-3]

transferred to the typical bandwidths (laboratory). For this the

2004 4 3 just given specification is modified, see Figs. 2 - 5 "Typical

Temp. (T) [6.6910 2.0410-] (laboratory)".

Level (L) [4.62

10-4;

^2.0910-3]

0TotalTotal ________________________X [1.16

10-3;

1.56

10-]3

Typical (laboratory):

~best

^case

-4 ^PFDLab

distribution Pressure (P) [2.72

103;

4.7410-] worst case -

PFDLab-Field

distribution

2005 4 3

Temp. (T) [8.1810 2.4910]

Level(L) [6.5610-;2.00104]

NAMUR

__ X I Best case

(field)

r_

^{[__ Sensor}

IV. BACKTRACKING OF DEVIATIONS Typical - z lSLisor

(field) Logicsolver

Analyzing Table 11 it becomes obvious that final element Typical i Final element parts seem to look similar for single-channel loops. They

TIboatol)

consistofa PLCoutput, connected with a solenoid valve which

Ilbraoy

controls the actuatorofaball valve. 0% 20% 40% 60% 80% 100%

lEC

61508says that 35% of the loop PFD is caused by the _

sensor, 15% bythe logic solver and 50% by the final element

NAMUR

C Worst case

part. In combination with theprevious statementfortypicals no

(field) ISenr

^I

ranking between the NAMUR groups "Pressure",

Typical

- _ ,,1 c Sensor

"Temperature" and "Level" should be observable.

However,

a

(field)

- I

Logic

solver

ranking

does exist.

Therefore, splitting

the PFD on sensor, ^Til ElFinal element

logic solver and final element part might be a promising Typic l IJ

approach forthe isolationofmistake sources.

(laborntori)

The necessary information for the typicals is immediately 0% 20% 40% 60% 80% 100%

available as it isalready content ofthe bottom-up calculation.

Fig.

2: Distribution of

loop

PFD for "Total"

For reasonsofcompleteness a"Total"group is alsogenerated asaverageofthetypical PFDbandwidths.

For the NAMUR data moreexpense is required. Fortunately, NAMUR Bestcase

in the years 2004 and 2005 a detailed failure splitting on

(field)

T ^Sensor

sensor, logic solver and final element part does exist. All Typical

further calculations are based on a cumulative NAMUR data

(field)

L - I U

Logic

solver set 2004/ 2005, because a more detailed failure splitting

TEl

ri Final element

causes alower numberof failures inthesubgroups. Hence, an

YPI

ca accumulation is reasonable for keeping the same level of

(laboratoy)

statistical accuracy. 0% 20% 40% 60% 80% 100%

A. DISTRIBUTION OF LOOPPFD

NAMURl_

(field) 1NI

^I

J)

^Worstcase

Based on the NAMUR data set 2004/

2005,

for each group Tical [ f_r , Sensor

("Total", "Pressure", "Temperature"

and

"Level")

PFD

(fild_

^Loicsove

confidence intervals can be estimated for sensor,

logic

solver (field Final

element

and final element part separately. The relation of the

PFDiow Typical

boundaries leads to a best case NAMUR distribution (field) for

(laboratory)

each group. Applying the same procedure to the PFDUp 0% 20% 40% 60% 80% 100%

boundaries delivers the corresponding worst case NAMUR Fig. 3: Distribution

of

loop PFDfor"Pressure"

distributions(field), see Figs. 2 -5 "NAMUR (field)".

The logic solver part is not examined as it has no significant

NAMUR^P 1 influence onthe

loop

PFD. The PFD results ofthesensorand

(field)

Bestcase final element partsare shown in Figs. 6 and 7. Theobserved

Typical

^{-____ -} -~ Sensor

specifications

arechosen

according

to the PFD distributions in

(field) J Logic solver

chapter IVA.

TYipicaI EFinalelement

(laboratory)

_1 OE-00-

0% 20% 40% 60% 80% 100%

E l,OE-Ol-

NAMUR _! Won cas

*I

NAMUR

(field)

(field) 2 1,0E-02 --- -

*Typical(field)

Typical Sensor Typical

(laboratory)

(field) ELogicsolver i

,UE-03----

Typical

~~~~~~~~~~~~E

Final element 2

Typical

(laboratory)

,OE-04-

0% 20% 40% 66% 80% 100% Bestcase Worst case

Fig.

4: Distribution of

loop

PFD for

"Temperature" Fig.

7:

PFDfinal

^element"Total"

NAMUR V. CONCLUSIONS

(fMU

^{ld Bestcase}

(field) I ___ I - ___ - Sensor The results of bottom-up (typicals) and top-down approach

Typical

F I *

Lic sler

(NAMURdata)arepresentedbyagraphicalillustration.

(field) F o s le

______

m~~~ElFinal

element Typical

(I

abo

_rato_ry_

^,_

E, NMAMUR

²⁰⁰³

^(field)

Typical (laboratory)

0% 20% 40% 60% 80% 100% [4 AMUR 2004

(field)

U

Typical (field)

E*

NAMUR

²⁰⁰⁵(field)

NAMUR W case

(field)

Worstcase

Total

Typical Sensor

Typical ____ ____ ___ -~ *Logic solver

(field)

^E

Final

element Pressure

Typical

(laboratory)

_{0% 20% 40% 60% 80% 100%}

ITempierature,IiIII

,,I1 Fig. 5: DistributionofloopPFDfor "Level"

_1

i_

Level:

B. AVERAGE PFD OF SENSOR- AND FINAL ELEMENT Z Z

PART

I>SL 4 SIL

4

$IL 3 SIL 2 SILl <S,IL, 1

For estimating the dimension ofdeviation between bottom- . ^.4 ^.2

up andtop-down a consideration ofthe absolutesensor,

logic

10 10 10 10 10 10

PFDavg

¹⁰

solver andfinal element PFDs is reasonable. Afirst

analysis

is

Fig.

8: Results-

bottom-up

versus

top-down approach

performed forthe"Total" groups.

Figure 8 shows the PFDconfidence intervals 2003 to 2005 1

,UE+00 -of

the NAMUR data

[10]

^aswellasthe PFDbandwidthsof the typicals. As the difference between each consecutive SIL PFD range is one decimal power a logarithmic

scaling

is chosen.

1,OE-Ol ^--

^{- -}- - - -- - -

Based on Figure 8 several statements could be made:

C

lstNAMtUR ^(field) 1ststatement: Analyzing

thethree

single-channel subgroups

of

> 1

6E-62--

-- UTypical

(field)

the NAMUR data, a kind of PFD ranking can be extracted: The best PFD

spectrum

is verified for the

"Temperature"

and E_

Typical (laboratory)

"Level" loops. "Pressure" loops range significantlyworse. This

1

OE-03

- --- - holdsforall threeyears ofthe NAMUR data. In contrast to the

| | * |*

~~~~~top-down

method no comparable effectcan be derived for the

1

0E-041

bottom-up approach. The PFD spectra (Fig. 8 "Typical (field)")

almostmirror congruency.

B;est

caseFig. 6: PFDsensorWorstcase"Total" 2gapnd statement:between the PFDFor theconfidencesingle-channelintervals and the PFD typicalloops there IS a large

bandwidths, see Fig. 8 "NAMUR (field)" and "Typical (field)". [3] L. Litz, D. DOpont and P. Netter, "SILValidationof Safety Although there is an intersectionfor "Pressure", the results are Instrumented Loops in Use by Statistical Methods", in not comparable in a strict sense. A correct comparison must IEEEPCIC EuropeConference Record, 2005, pp 69-76.

proceed between "NAMUR (field)" and "Typical (field)" in Fig. [4] Exida.com L.L.C., Safety Equipment Reliability 8. These field results do not only lie totally disjointfrom each Handbook, second edition,Sellerville (USA), 2005.

other, they even occupy completely different SIL PFD ranges. [5] SINTEF Industrial Management, OREDA - Offshore Being on thesafe side for the PFD bandwidths as for the PFD Reliability Data, Det Norsk Veritas, Hovik (Norway), confidenceintervals only the worst case would be regarded as 2002.

proven. Hence, for each single-channel typical only a PFD in [6] S. Hauge, P. Hokstad, Reliability Data for Safety the SIL 1 PFD range is verified. This is in contrast to the top- InstrumentedSystems-PDSData Handbook, SINTEF, downrealitycomfortably fulfilling SIL2. Trondheim (Norway), 2004.

Isolating the reasons for the large differences, the [7] MIL-HDBK 217F (Notice 2), Reliability Prediction of distribution ofthe loop PFD on sensor, logic solver and final Electronic Equipment, Department of Defence, element part delivers threeimportant observations: WashingtonDC(USA), 1995.

1st observation: The often cited PFD distribution in IEC 61508 [8] ICI databaseGEG 3.2.

[9] (35% sensor, 15% logic solver and 50% final elementpart) [9] IEC 61508, parts 1-7, Functional safety of electrical!

cannot be confirmed neither by the bottom-up typical electronic! programmable electronic safety-related bandwidths nor the top-down confidence intervals. Its systems, 2002.

incompatibility with the NAMUR data [10] indicates the [10] NAMUR, "Interessengemeinschaft Automatisierungs- incoherency of the classical distribution with conditions in technik der Prozessindustrie", http://www.namur.de.

European plants. [11] ZVEI, Zentralverband Elektrotechnik- und

2nd

observation: The

top-down approach (NAMUR data)

Elektronikindustrie

e.V.", http://www.zvei.de.

identifies the sensor part as main contributorofthe loop PFD,

thebottom-up method points at thefinalelement part. VIl. VITAE

3rd

observation: According to the bottom-up calculations the

logic solver is nosignificant fraction ofthe loop PFD. However, Daniel DOpont graduated from the University of the NAMUR data assign approximately 10% ofthe loop PFD Kaiserslautern in 2004 with a Dipl.-Math. oec. degree. From tothelogicsolver part. 2004 till today he is research assistant at the Institute of Comparing the absolute sensor and final element PFDs Automatic Control at the University of Kaiserslautern, (Figs. 6 and 7) leads to an interesting phenomenon: Thefield Germany. His major fields of research are methods for SIL sensorpartPFDs ofthetypicals are 2 to 11 timesworsethan proofevaluation.

the NAMUR data ones. The ratio between thecorresponding Lothar Litz graduated from the University of Karlsruhe in final element part PFDs is even 42 to 176 times worse. 1975 with a

Dipl.-Ing

degree. In 1979 and 1982, respectively, From all observations a hint indicating too conservative he got his doctor and the Dr.-habil. degree from the same assumptionscanbe derived caused byalackofreliablefailure university. He was a control engineer with the German rate information. Consequently, the bottom-up approach via HoechstAG between 1982 and 1992. From 1992 till today he commercial software tools has not been able to map realistic is professoratthe University of Kaiserslautern, Germany, and loop PFDs so far. The main source for the shown head of the Institute of Automatic Control. Since 2005 he is discrepancies is located in the final element part. Here, a also vice president ofthe University of Kaiserslautern. Major deviation ofmorethan two decimal powers from the NAMUR fields of research and education are Safety-related Automatic data could be demonstrated. One could doubt the reliability of Control, Failure Detection and Diagnosis, Ambient Intelligence the NAMUR data base. Thus, stability analyses were and Wireless NetworkedControlSystems.

performed with respect to structure and behavior over time PirminNettergraduated fromtheUniversity of Heidelberg in (2003 to 2005). The resultsconfirmthe NAMUR data as highly 1975 with a Dipl.-Phys. degree. In 1979 he received his sophisticated information source. Hence, single-channel loops doctorate. He was a control engineer with the German installed in European plants comfortably fulfill SIL 2 with HoechstAG between 1981 and 1996. From 1996 till todayhe

respect tothe PFD. is memberoftheInfraserv

Hochst

and head ofthedepartment

To close the gap between bottom-up and top-down forwork and plant safety. His major fields of work are work approachthere iscooperation between NAMUR and ZVEI.On safety, radiation protection and plant safety, especially plant the one hand standard failure rates for proven-in-use safety bydevicesofprocesscontrolengineering.

components are derived of the NAMUR data. On the other

hand manufacturer rates are modified based on realistic Vil.NOMENCLATURE environmental conditions.

SIS Safetyinstrumented system.

VI. REFERENCES SIF Safetyinstrumentedfunction.

SIL Safety integritylevel.

[1] IEC 61511, parts 1-3, Functional

safety:

Safety Rp Process risk(moneypertimeunit).

Instrumented Systems for Process Industry Sector, 2002. RT Tolerable risk (money per time unit).

[2] L. Litz, "Safety and Availability of Components and RR Residual risk (money per time unit).

Systems", in IEEE PCIC Europe Conference Record, LOPA Layers of protection analysis.

2004, pp 16-21. PLC Programmable logic controller.

HFT Hardware fault tolerance (absolute).

SFF Safe failure fraction(%).

PFD Averageprobability of failureon demand MTTDDU Mean time to detection ofdangerous, undetected

(absolute). failures(years).

MooN MoutofNvoting (absolute). p Failureprobabilityrelated to AT(absolute).

ADU

Rateof

dangerous,

undetectedfailures

(FIT).

^Plow Lowerconfidenceinterval

boundary

ofp

FIT Failures in time(1/

109h)

(absolute).

BPCS Basic process control system.

plup

Upper confidenceintervalboundary ofp

RTD Resistancetemperature detector. (absolute).

PTC Prooftestcoverage(%).

PFD,ow

Lowerconfidenceintervalboundary ofPFD

T,

Proof testinterval

(years). (absolute).

L Numberofloops(absolute).

PFDup

Upper confidenceintervalboundary ofPFD

FDU

Numberof

dangerous,

undetected failures

(absolute).

(absolute).

AT Observationperiod (years).

1-a Confidencelevel (%).

MTTR Mean time torepair (years).